Managing access to documents with a file monitor

ABSTRACT

Disclosed herein is a system and method that can retrieve, via a file monitor, a file and policy data from a case management system or a content management system, wherein the file and the policy data are retrieved in response to detecting a user request for the file. A processor can also modify, via the file monitor, access to the file based on the policy data, and intercept a plurality of document management instructions executed with the file. The processor can also detect at least one of the document management instructions is a malicious action, wherein the malicious action is detected based on the policy data, wherein the policy data is updated in response to detecting each of the document management instructions. Additionally, the processor can execute a policy instruction to prevent execution of the at least one document management instruction.

BACKGROUND

The present disclosure relates to managing access to documents, and more specifically, but not exclusively, to managing access to documents with a file monitor.

SUMMARY

According to an embodiment described herein, a system for managing access to documents can include a processor to retrieve, via a file monitor, a file and policy data from a case management system or a content management system, wherein the file and the policy data are retrieved in response to detecting a user request for the file. The processor can also modify, via the file monitor, access to the file based on the policy data and intercept, via the file monitor, a plurality of document management instructions executed with the file. Additionally, the processor can detect, via the file monitor, at least one of the document management instructions is a malicious action, wherein the malicious action is detected based on the policy data. In some examples, the policy data is updated in response to detecting each of the document management instructions. Furthermore, the processor can execute, via the file monitor, a policy instruction to prevent execution of the at least one document management instruction.

According to another embodiment, a method for managing access to documents can include retrieving, via a file monitor, a file and policy data from a case management system or a content management system, wherein the file and the policy data are retrieved in response to detecting a user request for the file. The method can also include modifying, via the file monitor, access to the file based on the policy data and intercepting, via the file monitor, a plurality of document management instructions executed with the file. Additionally, the method can include detecting, via the file monitor, at least one of the document management instructions is a malicious action, wherein the malicious action is detected based on the policy data, wherein the policy data is updated in response to detecting each of the document management instructions. Furthermore, the method can include executing, via the file monitor, a policy instruction to prevent execution of the at least one document management instruction.

According to another embodiment, a computer program product for managing access to documents can include a computer readable storage medium having program instructions embodied therewith, wherein the computer readable storage medium is not a transitory signal per se. The program instructions can be executable by a processor to cause the processor to hook into event calls or modify an operating system to execute the file monitor, wherein the file monitor is to monitor, at a kernel level of the operating system, a plurality of system calls involving locally stored files. The program instructions can also be executable by a processor to cause the processor to retrieve, via a file monitor, a file and policy data from a case management system or a content management system, wherein the file and the policy data are retrieved in response to detecting a user request for the file. The program instructions can also be executable by a processor to cause the processor to modify, via the file monitor, access to the file based on the policy data and intercept, via the file monitor, a plurality of document management instructions executed with the file. Additionally, the program instructions can be executable by a processor to cause the processor to detect, via the file monitor, at least one of the document management instructions is a malicious action, wherein the malicious action is detected based on the policy data. In some examples, the policy data is updated in response to detecting each of the document management instructions. The program instructions can also cause the processor to execute, via the file monitor, a policy instruction to prevent execution of the at least one document management instruction.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 depicts a block diagram of an example computing system that can manage access to documents with a file monitor according to an embodiment described herein;

FIG. 2 is an example timing diagram illustrating techniques for managing access to documents described herein;

FIG. 3 is a process flow diagram of an example method that can manage access to documents with a file monitor according to an embodiment described herein;

FIG. 4 is a tangible, non-transitory computer-readable medium that can manage access to documents with a file monitor according to an embodiment described herein;

FIG. 5 depicts an illustrative cloud computing environment according to an embodiment described herein; and

FIG. 6 depicts a set of functional abstraction layers provided by a cloud computing environment according to an embodiment described herein.

DETAILED DESCRIPTION

Document management systems, such as content management systems and case management systems, can enable users to download or retrieve files. Accordingly, users can access the downloaded files in an offline environment. In some examples, the content management systems or case management systems can restrict user access to files based on user permissions. However, user permissions for files can change with time. Thus, a user may retrieve or download a file from a content management system or a case management system and access the file despite the user permission changing subsequent to the file retrieval.

In some embodiments described herein, a device can manage access to documents with a file monitor, among other components. The device can apply changes to a user's access to data subsequent to a user retrieving or downloading a file. For example, the device can retrieve, via a file monitor, a file and policy data from a case management system or a content management system, wherein the file and the policy data are retrieved in response to detecting a user request for the file. The device can also modify, via the file monitor, access to the file based on the policy data and intercept, via the file monitor, a plurality of document management instructions executed with the file. Additionally, the device can detect, via the file monitor, at least one of the document management instructions is a malicious action, wherein the malicious action is detected based on the policy data, and wherein the policy data is updated in response to detecting each of the document management instructions. Furthermore, the device can execute, via the file monitor, a policy instruction to prevent execution of the at least one document management instruction.

Accordingly, the techniques described herein can prevent unauthorized access to a document based on a modified access policy. For example, the techniques described herein can prevent a user from performing unauthorized actions with a document, wherein the unauthorized actions are based on policy changes implemented subsequent to the user retrieving the document.

With reference now to FIG. 1, an example computing device is depicted that can manage access to documents with a file monitor. The computing device 100 may be for example, a server, desktop computer, laptop computer, tablet computer, or smartphone. In some examples, computing device 100 may be a cloud computing node. Computing device 100 may be described in the general context of computer system executable instructions, such as program modules, being executed by a computer system. Generally, program modules may include routines, programs, objects, components, logic, data structures, and so on that perform particular tasks or implement particular abstract data types. Computing device 100 may be practiced in distributed cloud computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed cloud computing environment, program modules may be located in both local and remote computer system storage media including memory storage devices.

The computing device 100 may include a processor 102 that is adapted to execute stored instructions, a memory device 104 to provide temporary memory space for operations of said instructions during operation. The processor can be a single-core processor, multi-core processor, computing cluster, or any number of other configurations. The memory 104 can include random access memory (RAM), read only memory, flash memory, or any other suitable memory systems.

The processor 102 may be connected through a system interconnect 106 (e.g., PCI®, PCI-Express®, etc.) to an input/output (I/O) device interface 108 adapted to connect the computing device 100 to one or more I/O devices 110. The I/O devices 110 may include, for example, a keyboard and a pointing device, wherein the pointing device may include a touchpad or a touchscreen, among others. The I/O devices 110 may be built-in components of the computing device 100, or may be devices that are externally connected to the computing device 100.

The processor 102 may also be linked through the system interconnect 106 to a display interface 112 adapted to connect the computing device 100 to a display device 114. The display device 114 may include a display screen that is a built-in component of the computing device 100. The display device 114 may also include a computer monitor, television, or projector, among others, that is externally connected to the computing device 100. In addition, a network interface controller (NIC) 116 may be adapted to connect the computing device 100 through the system interconnect 106 to the network 118. In some embodiments, the NIC 116 can transmit data using any suitable interface or protocol, such as the internet small computer system interface, among others. The network 118 may be a cellular network, a radio network, a wide area network (WAN), a local area network (LAN), or the Internet, among others. A remote server 120 may connect to the computing device 100 through the network 118.

The processor 102 may also be linked through the system interconnect 106 to a storage device 122 that can include a hard drive, an optical drive, a USB flash drive, an array of drives, or any combinations thereof. In some examples, the storage device 122 may include a file manager 124, a file access manager 126, a file modification manager 128, and a policy implementer 130. In some embodiments, the file manager 124 can retrieve a file and policy data from a case management system or a content management system, wherein the file and the policy data are retrieved in response to detecting a user request for the file. In some embodiments, the file access manager 126 can modify access to the file based on the policy data. In some embodiments, the file modification manager 128 can intercept a plurality of document management instructions executed with the file. The file modification manager 128 can also detect at least one of the document management instructions is a malicious action, wherein the malicious action is detected based on the policy data, wherein the policy data is updated in response to detecting each of the document management instructions. Furthermore, the policy implementer 130 can execute a policy instruction to prevent execution of the at least one document management instruction.

It is to be understood that the block diagram of FIG. 1 is not intended to indicate that the computing device 100 is to include all of the components shown in FIG. 1. Rather, the computing device 100 can include fewer or additional components not illustrated in FIG. 1 (e.g., additional memory components, embedded controllers, modules, additional network interfaces, etc.). Furthermore, any of the functionalities of the file manager 124, file access manager 126, file modification manager 128, and policy implementer 130 may be partially, or entirely, implemented in hardware and/or in the processor 102. For example, the functionality may be implemented with an application specific integrated circuit, logic implemented in an embedded controller, or in logic implemented in the processor 102, among others. In some embodiments, the functionalities of the file manager 124, file access manager 126, file modification manager 128, and policy implementer 130 can be implemented with logic, wherein the logic, as referred to herein, can include any suitable hardware (e.g., a processor, among others), software (e.g., an application, among others), firmware, or any suitable combination of hardware, software, and firmware. For example, a file monitor 132 can reside in the storage device 122 and can implement the functionalities of the file manager 124, file access manager 126, file modification manager 128, and policy implementer 130.

FIG. 2 is an example timing diagram illustrating techniques for managing access to documents described herein. At the circled number one (1), a content management system or a case management system can detect a user request to download or retrieve a file. In some embodiments, the case management system, as referred to herein, can include any suitable remote computing device that stores files for a user to access and policy data based on a task. A task, as referred to herein, can include any suitable action to be performed by a user such as generating a document based on files stored in the case management system. In some embodiments, the files to be retrieved and policy data can reside in a content management system. A content management system, as referred to herein, can enable users to access particular files regardless of a task. For example, a user can retrieve or download a file from a content management system and access or modify the retrieved file based on policy data stored in the content management system.

At the circled number two (2), the content management system or the case manager system can transmit or send a requested file to a local machine along with details indicating how to obtain information about the file. In some examples, the details correspond to policy data, which can include permissions for a user or a group of users in relation to a file. For example, the policy data can indicate if data is to be redacted or masked within a retrieved file for users, whether the retrieved files can be copied, and files with certain file types that can be generated based on the retrieved file, among others.

At the circled number three (3), a file agent monitor and a networking tool can monitor the retrieved file on a local machine. For example, the file agent monitor and the networking tool can monitor instructions executed with the retrieved file. In some embodiments, the file agent monitor and the networking tool can reside on the local machine. In some embodiments, the networking tool can reside on any suitable external computing device such as a network switch, or a router, among others.

At the circled number four (4), the file agent monitor or the networking tool can detect an attempt to execute an instruction on the local machine with the retrieved file and transmit the instruction to a configurable bridge to verify that a user is authorized to perform the instruction. For example, the instruction may include copying the retrieved file, accessing the retrieved file, transmitting the retrieved file to another user or group of users, or transmitting the file to another network internet address, among others. In some embodiments, the configurable bridge can reside on the local machine or reside on any suitable external computing device.

At the circled number five (5), the configurable bridge can query a status of the retrieved file corresponding to the instruction that has been attempted to be executed on the local machine. In some examples, the configurable bridge can query the original source for the retrieved file such as the content management system or the case management system. The status can indicate if policy data has been modified since the retrieved file was transmitted to the local machine. For example, the status can indicate if a user is no longer authorized to access a retrieved file or if a user is no longer authorized to access particular content within a retrieved file, among others. In some embodiments, the status can indicate that sensitive or confidential information in a retrieved file is to be redacted or masked.

At the circled number six (6), the configurable bridge can transmit approval or disapproval of the requested instruction to the file agent monitor or the networking tool. For example, the configurable bridge can transmit an indication that the instruction that was attempted to be executed on the local machine can be executed or is to be blocked by the file agent monitor or the networking tool.

The timing diagram 200 of FIG. 2 illustrates one example implementation of the operations described herein. In some embodiments, the operations of the timing diagram 200 can be executed in any particular order, and may include fewer or additional operations.

FIG. 3 is a process flow diagram of an example method that can manage access to documents. The method 300 can be implemented with any suitable computing device, such as the computing device 100 of FIG. 1.

At block 302, a file manager 124 can hook into event calls or modify an operating system to execute the file monitor, wherein the file monitor is to monitor, at a kernel level of the operating system, a plurality of system calls involving locally stored files. In some embodiments, hooking into an event call can include inserting hooks into a process that enables an application or operating system to intercept function calls, messages, or events, among others, passed between various software components. For example, hooking into an event call can enable an application or process to intercept keyboard or mouse event messages before the keyboard or mouse messages reach an application. In some embodiments, the file manager 124 can modify an operating system to execute a file monitor. For example, the file manager 124 can modify the operating system to load an additional library module or the file manager 124 can modify the import table of an executable. In some embodiments, the file manager 124 can hook into event calls or modify an operating system to execute the file monitor, wherein the file monitor is to monitor, at a kernel level of the operating system, a plurality of system calls involving locally stored files. In some embodiments, the file manager 124 can modify a function associated with an application used to access the file, wherein the function comprises a print function or a copy to a temporary storage function.

At block 304, the file manager 124 can retrieve, via a file monitor, a file and policy data from a case management system or a content management system, wherein the file and the policy data are retrieved in response to detecting a user request for the file. In some embodiments, the case management system, as referred to herein, can include any suitable remote computing device that stores files for a user to access and policy data based on a task. A task, as referred to herein, can include any suitable action to be performed by a user such as generating a document based on files stored in the case management system. The policy data, as referred to herein, can include permissions for a user or a group of users in relation to a file. For example, the policy data can indicate if data is to be redacted or masked within a retrieved file for users, whether the retrieved files can be copied, and files with certain file types that can be generated based on the retrieved file, among others. In some embodiments, the policy data can indicate an application that is authorized to access the file or a list of file types that are authorized to be generated from the file based on the policy data. For example, a spreadsheet may be prohibited from being converted to a text file. In some embodiments, the files to be retrieved and policy data can reside in a content management system. As discussed above, a content management system can enable users to access particular files regardless of a task. For example, a user can retrieve or download a file from a content management system and perform tasks with the retrieved file based on policy data stored in the content management system.

In some embodiments, the file manager 124 can retrieve a copy of a file based on a link to an original file in the case management system or content management system. In some embodiments, the file manager 124 can retrieve a file in an encrypted format, wherein the policy data indicates a predetermined encryption key to be used to access the file in the encrypted format. In some embodiments, the file manager 124 can retrieve metadata corresponding to the file from policy data or as a separate data stream. The metadata can indicate a particular remote device that hosts the retrieved file, the file name on the host device, a creation date of the file on the host device, a user or group of users with administrative access to the file on the host device, if the file includes sensitive information such as financial information or personal information, and the like.

At block 306, the file access manager 126 can modify, via the file monitor, access to the file based on the policy data. In some embodiments, the file access manager 126 can apply restrictions to access a file based on policy data. The file access manager 126 can be a locally stored application or process that can modify access to a retrieved file. In some embodiments, the file access manager 126 can prevent particular users or groups of users from accessing a retrieved file, redact or mask portions of retrieved documents, prevent retrieved files from being copied, prevent printing retrieved files, and the like. In some embodiments, the file access manager 126 can identify sensitive information and mask the sensitive information by replacing the sensitive information with pseudorandom alphanumeric characters.

At block 308, the file access manager 126 can intercept, via the file monitor, a plurality of document management instructions executed with the file. In some embodiments, the file access manager 126 can intercept document management instructions corresponding to a retrieved file. The document management instructions, as referred to herein, can include any instruction performed based on the retrieved file.

At block 310, the file modification manager 128 can detect, via the file monitor, at least one of the document management instructions is a malicious action, wherein the malicious action is detected based on the policy data. In some examples, the policy data can be updated in response to detecting each of the document management instructions. For example, the file modification manager 128 can detect each document management instruction for a retrieved file and send a request to a case management system or a content management system to determine if policy data for the retrieved file has been modified. In some embodiments, a status of a case in a case management system can be modified without modifying the file policy data in a remote system and a file monitoring application residing on the remote system can change access permissions to a file in response to determining that the status of the case has changed. For example, if the case was owned by a first user and then moved to a second user, the system can redact any document that is accessed by the first user. If the policy data has been modified, the file modification manager 128 can update the policy data stored locally and determine if access to the file is to be prevented based on the updated policy data. If the policy data has not been modified, the file modification manager 128 can determine if access to a retrieved file is to be prevented based on the original policy data.

The file modification manager 128 can detect a malicious document management instruction or action that attempts to access portions of a document that are unauthorized for a user or a group of users, or attempts to copy the retrieved file to a removable storage device, among others. In some embodiments the malicious action can include modifying a user's access to include root access. In some examples, the malicious action can include encrypting the file with an unknown source or encryption key. In some examples, the malicious action can include transferring the file to an unauthorized group of users. In some embodiments, a malicious action can include a user attempting to transmit a password used to access the retrieved file to another user via electronic mail. In some examples, a malicious action can also include a user attempting to access a document with an expired password that was updated subsequent to the original retrieval of the document.

At block 312, the policy implementer 130 can execute, via the file monitor, a policy instruction to prevent execution of the at least one document management instruction. The policy implementer 130 can detect that a user has attempted to execute a document management instruction that is prohibited by the policy data. The policy implementer 130 can prevent the document management instruction from being executed and transmit an alert to a case management system or a content management system. For example, the policy implementer 130 can detect that a user attempted to execute a document management instruction that transmitted a retrieved document to unauthorized users. The policy implementer 130 can generate and transmit a notification or email to the case management system or the content management system indicating the unauthorized document management instruction. In some embodiments, the policy implementer 130 can prevent a user from accessing any retrieved documents from a case management system or a content management system following an attempt by the user to perform a malicious action.

In some embodiments, the policy implementer 130 can block a system call to access a retrieved file in response to detecting a user of the operating system is unauthorized to access the file based on the policy data. In some embodiments, the policy implementer 130 can detect a transfer of a file to a remote device and alert a network monitoring tool to determine if the transfer to the remote device violates the policy data. In some embodiments, the policy instruction can include redacting sensitive data, masking sensitive data, or preventing an operating system from changing a file type of the file to a second file type.
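The per-instruction policy re-check of FIG. 2 (steps four to six) and blocks 308 to 312 of method 300 can be sketched as follows. This is an added example, not code from the disclosure; the class names, policy fields, action strings and the file identifier are assumptions made for illustration, since the disclosure defines no API or policy format.

```python
"""Added sketch: re-query policy on every intercepted instruction, then allow,
redact or block. All names here are hypothetical."""
from dataclasses import dataclass

ALLOW, REDACT, BLOCK = "allow", "redact", "block"


@dataclass(frozen=True)
class Policy:
    version: int
    authorized_users: frozenset
    allowed_actions: frozenset
    redact_for: frozenset = frozenset()  # users who only receive a redacted view


class ContentSystem:
    """Stand-in for the case/content management system holding current policy."""

    def __init__(self):
        self.policies = {}  # file_id -> Policy
        self.alerts = []    # violations reported by file monitors

    def publish(self, file_id, **fields):
        previous = self.policies.get(file_id)
        version = previous.version + 1 if previous else 1
        self.policies[file_id] = Policy(version=version, **fields)

    def status(self, file_id, known_version):
        """Return the current policy if it changed since known_version, else None."""
        current = self.policies[file_id]
        return None if current.version == known_version else current

    def alert(self, *event):
        self.alerts.append(event)


class FileMonitor:
    """Local agent: caches policy at retrieval and re-checks it per instruction."""

    def __init__(self, cms):
        self.cms = cms
        self.local_policy = {}
        self.locked_out = set()  # users blocked after a prohibited instruction

    def retrieve(self, file_id):
        self.local_policy[file_id] = self.cms.policies[file_id]

    def intercept(self, file_id, user, action):
        # Ask the source whether policy changed since the file was downloaded.
        fresh = self.cms.status(file_id, self.local_policy[file_id].version)
        if fresh is not None:
            self.local_policy[file_id] = fresh
        policy = self.local_policy[file_id]

        if user in self.locked_out:
            reason = "locked out after earlier violation"
        elif user not in policy.authorized_users:
            reason = "user not authorized"
        elif action not in policy.allowed_actions:
            reason = "action prohibited by policy"
        else:
            return REDACT if user in policy.redact_for else ALLOW

        # Prevent the instruction, remember the user, and alert the source system.
        self.locked_out.add(user)
        self.cms.alert(file_id, user, action, reason, policy.version)
        return BLOCK


def demo():
    file_id = "case-17/report.xlsx"  # constructed identifier
    users = frozenset({"alice", "bob"})
    actions = frozenset({"open", "print"})
    cms = ContentSystem()
    cms.publish(file_id, authorized_users=users, allowed_actions=actions)
    monitor = FileMonitor(cms)
    monitor.retrieve(file_id)

    results = [monitor.intercept(file_id, "alice", "open")]
    # After the download, the case moves from alice to bob: alice's view is redacted.
    cms.publish(file_id, authorized_users=users, allowed_actions=actions,
                redact_for=frozenset({"alice"}))
    results.append(monitor.intercept(file_id, "alice", "open"))
    results.append(monitor.intercept(file_id, "alice", "copy_to_removable"))
    results.append(monitor.intercept(file_id, "alice", "open"))
    results.append(monitor.intercept(file_id, "bob", "open"))
    return results, cms.alerts


if __name__ == "__main__":
    print(demo())
```

The locally cached policy is only as fresh as the last successful status query, so the decision for a given instruction depends on the source system being reachable at that moment.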

The process flow diagram of FIG. 3 is not intended to indicate that the operations of the method 300 are to be executed in any particular order, or that all of the operations of the method 300 are to be included in every case. For example, the method 300 can include detecting sensitive data in the file, detecting a second retrieved file from a case management system with a similarity to the file above a threshold value, and modifying a policy for the second file to indicate that the second file comprises sensitive data. In some examples, the method 300 can include masking or redacting sensitive information in the second file based on the similarity to the first file. Sensitive information, as referred to herein, can include financial information, government issued identification information, personal information such as a date of birth, and the like. In some embodiments, the similarity of two files can indicate that two files both include fields populated with the sensitive information.
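The similarity-based propagation described above, combined with the pseudorandom alphanumeric masking of block 306, can be illustrated as below. This is an added example, not code from the disclosure: the detector patterns, the use of Jaccard similarity over field names, the 0.75 threshold, the policy keys and the sample records are all assumptions.

```python
"""Added sketch: flag and mask a second file because its field layout matches a
file already known to hold sensitive data. All names and values are constructed."""
import re
import secrets
import string

# Hypothetical detectors for two of the sensitive-data kinds the text lists.
SENSITIVE_PATTERNS = {
    "date_of_birth": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
    "government_id": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
ALNUM = string.ascii_letters + string.digits


def mask(value):
    """Replace a value with pseudorandom alphanumeric characters of equal length."""
    return "".join(secrets.choice(ALNUM) for _ in value)


def sensitive_fields(doc):
    """Names of fields whose values match any detector."""
    return {name for name, value in doc.items()
            if any(p.search(value) for p in SENSITIVE_PATTERNS.values())}


def field_similarity(first, second):
    """Jaccard similarity of the two files' field-name sets (an assumed metric)."""
    a, b = set(first), set(second)
    return len(a & b) / len(a | b) if (a or b) else 0.0


def propagate(first, second, policy, threshold=0.75):
    """If second resembles first above the threshold, mark its policy as sensitive
    and mask the fields that were sensitive in first."""
    flagged = sensitive_fields(first)
    score = field_similarity(first, second)
    if not flagged or score <= threshold:
        return second, policy, score
    shared = flagged & set(second)
    new_policy = dict(policy, sensitive=True, masked_fields=sorted(shared))
    masked = {k: (mask(v) if k in shared else v) for k, v in second.items()}
    return masked, new_policy, score


# Constructed sample records: the detectors fire on FIRST but miss SECOND's formats.
FIRST = {"name": "A. Example", "dob": "1980-03-03",
         "gov_id": "000-12-3456", "claim_amount": "1200"}
SECOND = {"name": "B. Example", "dob": "3 March 1980", "gov_id": "ID 000 12 3457",
          "claim_amount": "800", "notes": "follow up"}
UNRELATED = {"title": "Meeting agenda", "body": "Room 4 at noon"}

if __name__ == "__main__":
    print(propagate(FIRST, SECOND, {"sensitive": False}))
    print(propagate(FIRST, UNRELATED, {"sensitive": False}))
```

Pattern matching alone would leave the second record unmasked; the field-layout similarity is what carries the sensitivity label across.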

The present invention may be a system, a method, and/or a computer program product. The computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present invention.

The computer readable storage medium can be a tangible device that can retain and store instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. A non-exhaustive list of more specific examples of the computer readable storage medium includes the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a static random access memory (SRAM), a portable compact disc read-only memory (CD-ROM), a digital versatile disk (DVD), a memory stick, a floppy disk, a mechanically encoded device such as punch-cards or raised structures in a groove having instructions recorded thereon, and any suitable combination of the foregoing. A computer readable storage medium, as used herein, is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission media (e.g., light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire.

Computer readable program instructions described herein can be downloaded to respective computing/processing devices from a computer readable storage medium or to an external computer or external storage device via a network, for example, the Internet, a local area network, a wide area network and/or a wireless network. The network may comprise copper transmission cables, optical transmission fibers, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. A network adapter card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium within the respective computing/processing device.

Computer readable program instructions for carrying out operations of the present invention may be assembler instructions, instruction-set-architecture (ISA) instructions, machine instructions, machine dependent instructions, microcode, firmware instructions, state-setting data, or either source code or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++ or the like, and conventional procedural programming languages, such as the “C” programming language or similar programming languages. The computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider). In some embodiments, electronic circuitry including, for example, programmable logic circuitry, field-programmable gate arrays (FPGA), or programmable logic arrays (PLA) may execute the computer readable program instructions by utilizing state information of the computer readable program instructions to personalize the electronic circuitry, in order to perform aspects of the present invention.

Aspects of the present invention are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer readable program instructions.

These computer readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer readable program instructions may also be stored in a computer readable storage medium that can direct a computer, a programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer readable storage medium having instructions stored therein comprises an article of manufacture including instructions which implement aspects of the function/act specified in the flowchart and/or block diagram block or blocks.

The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other device to cause a series of operational steps to be performed on the computer, other programmable apparatus or other device to produce a computer implemented process, such that the instructions which execute on the computer, other programmable apparatus, or other device implement the functions/acts specified in the flowchart and/or block diagram block or blocks.

The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical functions. In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts or carry out combinations of special purpose hardware and computer instructions.

Referring now to FIG. 4, a block diagram is depicted of an example of a tangible, non-transitory computer-readable medium that can manage access to documents with a file monitor. The tangible, non-transitory, computer-readable medium 400 may be accessed by a processor 402 over a computer interconnect 404.

Furthermore, the tangible, non-transitory, computer-readable medium 400 may include code to direct the processor 402 to perform the operations of the current method. For example, a file manager 406 can hook into event calls or modify an operating system to execute the file monitor, wherein the file monitor is to monitor, at a kernel level of the operating system, a plurality of system calls involving locally stored files. In some embodiments, the file manager 406 can also retrieve, via a file monitor, a file and policy data from a case management system or a content management system, wherein the file and the policy data are retrieved in response to detecting a user request for the file. In some embodiments, a file access manager 408 can modify, via the file monitor, access to the file based on the policy data. In some embodiments, a file modification manager 410 can intercept, via the file monitor, a plurality of document management instructions executed with the file. The file modification manager 410 can also detect, via the file monitor, at least one of the document management instructions is a malicious action, wherein the malicious action is detected based on the policy data, and wherein the policy data is updated in response to detecting each of the document management instructions. Furthermore, a policy implementer 412 can execute, via the file monitor, a policy instruction to prevent execution of the at least one document management instruction.

It is to be understood that any number of additional software components not shown in FIG. 4 may be included within the tangible, non-transitory, computer-readable medium 400, depending on the specific application. For example, a file monitor can also reside on the non-transitory computer-readable medium 400, which can implement the functionalities of the file manager 406, file access manager 408, file modification manager 410, and policy implementer 412. Furthermore, fewer software components than those shown in FIG. 4 can be included in the tangible, non-transitory, computer-readable medium 400.

Referring now to FIG. 5, illustrative cloud computing environment 500 is depicted. As shown, cloud computing environment 500 comprises one or more cloud computing nodes 502 with which local computing devices used by cloud consumers, such as, for example, personal digital assistant (PDA) or cellular telephone 504A, desktop computer 504B, laptop computer 504C, and/or automobile computer system 504N may communicate. Nodes 502 may communicate with one another. They may be grouped (not shown) physically or virtually, in one or more networks, such as Private, Community, Public, or Hybrid clouds as described hereinabove, or a combination thereof. This allows cloud computing environment 500 to offer infrastructure, platforms and/or software as services for which a cloud consumer does not need to maintain resources on a local computing device. It is understood that the types of computing devices 504A-N shown in FIG. 5 are intended to be illustrative only and that computing nodes 502 and cloud computing environment 500 can communicate with any type of computerized device over any type of network and/or network addressable connection (e.g., using a web browser).

Referring now to FIG. 6, a set of functional abstraction layers provided by cloud computing environment 500 (FIG. 5) is shown. It should be understood in advance that the components, layers, and functions shown in FIG. 6 are intended to be illustrative only and embodiments of the invention are not limited thereto. As depicted, the following layers and corresponding functions are provided.

Hardware and software layer 600 includes hardware and software components. Examples of hardware components include mainframes, in one example IBM® zSeries® systems; RISC (Reduced Instruction Set Computer) architecture based servers, in one example IBM pSeries® systems; IBM xSeries® systems; IBM BladeCenter® systems; storage devices; networks and networking components. Examples of software components include network application server software, in one example IBM WebSphere® application server software; and database software, in one example IBM DB2® database software. (IBM, zSeries, pSeries, xSeries, BladeCenter, WebSphere, and DB2 are trademarks of International Business Machines Corporation registered in many jurisdictions worldwide).

Virtualization layer 602 provides an abstraction layer from which the following examples of virtual entities may be provided: virtual servers; virtual storage; virtual networks, including virtual private networks; virtual applications and operating systems; and virtual clients. In one example, management layer 604 may provide the functions described below. Resource provisioning provides dynamic procurement of computing resources and other resources that are utilized to perform tasks within the cloud computing environment. Metering and Pricing provide cost tracking as resources are utilized within the cloud computing environment, and billing or invoicing for consumption of these resources. In one example, these resources may comprise application software licenses. Security provides identity verification for cloud consumers and tasks, as well as protection for data and other resources. User portal provides access to the cloud computing environment for consumers and system administrators. Service level management provides cloud computing resource allocation and management such that required service levels are met. Service Level Agreement (SLA) planning and fulfillment provide pre-arrangement for, and procurement of, cloud computing resources for which a future requirement is anticipated in accordance with an SLA.

Workloads layer 606 provides examples of functionality for which the cloud computing environment may be utilized. Examples of workloads and functions which may be provided from this layer include: mapping and navigation; software development and lifecycle management; virtual classroom education delivery; data analytics processing; transaction processing; and managing access to documents.

The descriptions of the various embodiments of the present invention have been presented for purposes of illustration, but are not intended to be exhaustive or limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein was chosen to best explain the principles of the embodiments, the practical application or technical improvement over technologies found in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

1. A method for managing access to documents comprising: retrieving, via a file monitor, a file and policy data from a case management system or a content management system, wherein the file and the policy data are retrieved in response to detecting a user request for the file, wherein the policy data indicates a list of file types that are authorized to be generated from the file based on the policy data, indicates an application that is authorized to access the file, and indicates a predetermined encryption key to be used to access the file in an encrypted format when the file is encrypted; modifying, via the file monitor, access to the file based on the policy data; intercepting, via the file monitor, a plurality of document management instructions executed with the file, wherein the plurality of document management instructions are instructions performed based on retrieving the file; detecting, via the file monitor, at least one of the document management instructions is a malicious action, wherein the malicious action is detected based on the policy data, wherein the policy data is updated in response to detecting each of the document management instructions; and executing, via the file monitor, a policy instruction to prevent execution of the at least one document management instruction, wherein the policy instruction comprises masking sensitive data, preventing the operating system from changing a file type of the file to a second file type, prevent retrieved files from being copied, and prevent printing retrieved files, wherein masking comprises replacing a portion of the file with pseudorandom alphanumeric characters; detecting sensitive data in the file; detecting a second retrieved file from the case management system with a similarity to the file above a threshold value; and modifying a policy for the second file to indicate that the second file comprises sensitive data.
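The policy decision that claim 1 and the FIG. 4 description outline, as an added user-space illustration in Python that is not part of the patent text: it evaluates intercepted instructions against policy data, masks a span with pseudorandom alphanumeric characters, and propagates the sensitive flag to a similar file. The instruction dictionaries, the `viewer.exe` name, the 0.8 threshold and `difflib` as the similarity measure are assumptions; kernel-level interception and the encryption key are not modeled.

```python
import secrets
import string
from dataclasses import dataclass, field
from difflib import SequenceMatcher

ALNUM = string.ascii_letters + string.digits

@dataclass
class Policy:
    allowed_app: str                 # application authorized to access the file
    allowed_types: frozenset         # file types that may be generated from it
    sensitive: bool = False
    history: list = field(default_factory=list)  # updated on every instruction

def evaluate(policy, instr):
    """Decide 'allow' or 'deny' for one intercepted instruction (a dict)."""
    op = instr["op"]
    if instr["app"] != policy.allowed_app:
        verdict = "deny"                       # unauthorized application
    elif op in ("copy", "print"):
        verdict = "deny"                       # retrieved files: no copy, no print
    elif op == "convert" and instr.get("target") not in policy.allowed_types:
        verdict = "deny"                       # file type not on the authorized list
    else:
        verdict = "allow"
    policy.history.append((op, verdict))       # policy data records each instruction
    return verdict

def mask(text, start, end):
    """Replace text[start:end] with pseudorandom alphanumeric characters."""
    filler = "".join(secrets.choice(ALNUM) for _ in range(end - start))
    return text[:start] + filler + text[end:]

def propagate(text_a, policy_a, text_b, policy_b, threshold=0.8):
    """Mark file B sensitive when it is similar enough to sensitive file A."""
    ratio = SequenceMatcher(None, text_a, text_b).ratio()
    if policy_a.sensitive and ratio > threshold:
        policy_b.sensitive = True
    return ratio

# Constructed sample data, not taken from the patent.
DOC_A = "Claimant: J. Doe, SSN 123-45-6789, claim 42 approved."
DOC_B = "Claimant: J. Doe, SSN 123-45-6789, claim 43 approved."
DOC_C = "Cafeteria menu for the week of May 5."

if __name__ == "__main__":
    pol = Policy("viewer.exe", frozenset({"pdf"}), sensitive=True)
    for i in ({"op": "open", "app": "viewer.exe"},
              {"op": "convert", "app": "viewer.exe", "target": "txt"},
              {"op": "print", "app": "viewer.exe"}):
        print(i["op"], evaluate(pol, i))
    print(mask(DOC_A, DOC_A.index("123"), DOC_A.index("123") + 11))
```

The default-deny ordering matters: the application check runs first, so an unauthorized process is refused even for an operation that would otherwise be allowed.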